{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-34031", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "state": "PUBLISHED", "assignerShortName": "VulnCheck", "dateReserved": "2025-04-15T19:15:22.546Z", "datePublished": "2025-06-24T00:58:57.345Z", "dateUpdated": "2026-05-14T02:07:24.308Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "modules": ["Moodle filter_jmol plugin (jsmol.php proxy script)"], "product": "Jmol Plugin", "vendor": "Moodle", "versions": [{"lessThanOrEqual": "6.1", "status": "affected", "version": "0", "versionType": "custom"}]}], "cpeApplicability": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:geoffrowland:jmol:*:*:*:*:*:moodle:*:*", "versionEndIncluding": "6.1", "versionStartIncluding": "0", "vulnerable": true}], "negate": false, "operator": "OR"}], "operator": "OR"}], "credits": [{"lang": "en", "type": "finder", "value": "Dionach by Nomios"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "A path traversal vulnerability exists in the Moodle LMS Jmol plugin version 6.1 and prior via the query parameter in jsmol.php. The script directly passes user input to the file_get_contents() function without proper validation, allowing attackers to read arbitrary files from the server's filesystem by crafting a malicious query value. This vulnerability can be exploited without authentication and may expose sensitive configuration data, including database credentials. Exploitation evidence was observed by the Shadowserver Foundation on 2025-02-02 UTC."}], "value": "A path traversal vulnerability exists in the Moodle LMS Jmol plugin version 6.1 and prior via the query parameter in jsmol.php. The script directly passes user input to the file_get_contents() function without proper validation, allowing attackers to read arbitrary files from the server's filesystem by crafting a malicious query value. This vulnerability can be exploited without authentication and may expose sensitive configuration data, including database credentials.\u00a0Exploitation evidence was observed by the Shadowserver Foundation on 2025-02-02 UTC."}], "impacts": [{"capecId": "CAPEC-126", "descriptions": [{"lang": "en", "value": "CAPEC-126 Path Traversal"}]}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 8.7, "baseSeverity": "HIGH", "exploitMaturity": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-05-14T02:07:24.308Z"}, "references": [{"tags": ["exploit", "technical-description"], "url": "https://www.dionach.com/moodle-jmol-plugin-multiple-vulnerabilities/"}, {"tags": ["third-party-advisory", "exploit"], "url": "https://www.exploit-db.com/exploits/46881"}, {"tags": ["third-party-advisory"], "url": "https://vulncheck.com/advisories/moodle-lms-jmol-plugin-path-traversal"}], "source": {"discovery": "UNKNOWN"}, "tags": ["x_known-exploited-vulnerability"], "title": "Moodle LMS Jmol Plugin Path Traversal", "x_generator": {"engine": "vulncheck"}, "datePublic": "2019-05-21T00:00:00.000Z"}, "adp": [{"references": [{"url": "https://www.exploit-db.com/exploits/46881", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-06-25T12:37:56.527120Z", "id": "CVE-2025-34031", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-06-25T12:43:16.632Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-34031", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-06-25T12:37:56.527120Z"}}}], "references": [{"url": "https://www.exploit-db.com/exploits/46881", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-06-25T12:38:10.995Z"}}], "cna": {"tags": ["x_known-exploited-vulnerability"], "title": "Moodle LMS Jmol Plugin Path Traversal", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "Dionach by Nomios"}], "impacts": [{"capecId": "CAPEC-126", "descriptions": [{"lang": "en", "value": "CAPEC-126 Path Traversal"}]}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.7, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Moodle", "modules": ["Moodle filter_jmol plugin (jsmol.php proxy script)"], "product": "Jmol Plugin", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "6.1"}], "defaultStatus": "unaffected"}], "datePublic": "2019-05-21T00:00:00.000Z", "references": [{"url": "https://www.dionach.com/moodle-jmol-plugin-multiple-vulnerabilities/", "tags": ["exploit", "technical-description"]}, {"url": "https://www.exploit-db.com/exploits/46881", "tags": ["third-party-advisory", "exploit"]}, {"url": "https://vulncheck.com/advisories/moodle-lms-jmol-plugin-path-traversal", "tags": ["third-party-advisory"]}], "x_generator": {"engine": "vulncheck"}, "descriptions": [{"lang": "en", "value": "A path traversal vulnerability exists in the Moodle LMS Jmol plugin version 6.1 and prior via the query parameter in jsmol.php. The script directly passes user input to the file_get_contents() function without proper validation, allowing attackers to read arbitrary files from the server's filesystem by crafting a malicious query value. This vulnerability can be exploited without authentication and may expose sensitive configuration data, including database credentials.\u00a0Exploitation evidence was observed by the Shadowserver Foundation on 2025-02-02 UTC.", "supportingMedia": [{"type": "text/html", "value": "A path traversal vulnerability exists in the Moodle LMS Jmol plugin version 6.1 and prior via the query parameter in jsmol.php. The script directly passes user input to the file_get_contents() function without proper validation, allowing attackers to read arbitrary files from the server's filesystem by crafting a malicious query value. This vulnerability can be exploited without authentication and may expose sensitive configuration data, including database credentials. Exploitation evidence was observed by the Shadowserver Foundation on 2025-02-02 UTC.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:geoffrowland:jmol:*:*:*:*:*:moodle:*:*", "vulnerable": true, "versionEndIncluding": "6.1", "versionStartIncluding": "0"}], "operator": "OR"}], "operator": "OR"}], "providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-05-14T02:07:24.308Z"}}}, "cveMetadata": {"cveId": "CVE-2025-34031", "state": "PUBLISHED", "dateUpdated": "2026-05-14T02:07:24.308Z", "dateReserved": "2025-04-15T19:15:22.546Z", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "datePublished": "2025-06-24T00:58:57.345Z", "assignerShortName": "VulnCheck"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:geoffrowland:jmol:*:*:*:*:*:moodle:*:*", "matchCriteriaId": "276659B7-AC53-4A06-BAEA-74544F273242", "versionEndIncluding": "6.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A path traversal vulnerability exists in the Moodle LMS Jmol plugin version 6.1 and prior via the query parameter in jsmol.php. The script directly passes user input to the file_get_contents() function without proper validation, allowing attackers to read arbitrary files from the server's filesystem by crafting a malicious query value. This vulnerability can be exploited without authentication and may expose sensitive configuration data, including database credentials.\u00a0Exploitation evidence was observed by the Shadowserver Foundation on 2025-02-02 UTC."}, {"lang": "es", "value": "Existe una vulnerabilidad de path traversal en el complemento Moodle LMS Jmol versi\u00f3n 6.1 y anteriores mediante el par\u00e1metro de consulta en jsmol.php. El script pasa directamente la entrada del usuario a la funci\u00f3n file_get_contents() sin la validaci\u00f3n adecuada, lo que permite a los atacantes leer archivos arbitrarios del sistema de archivos del servidor mediante la manipulaci\u00f3n de un valor de consulta malicioso. Esta vulnerabilidad puede explotarse sin autenticaci\u00f3n y puede exponer datos de configuraci\u00f3n confidenciales, incluidas las credenciales de la base de datos."}], "id": "CVE-2025-34031", "lastModified": "2025-11-20T22:15:55.557", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "disclosure@vulncheck.com", "type": "Secondary"}]}, "published": "2025-06-24T01:15:23.340", "references": [{"source": "disclosure@vulncheck.com", "tags": ["Third Party Advisory"], "url": "https://vulncheck.com/advisories/moodle-lms-jmol-plugin-path-traversal"}, {"source": "disclosure@vulncheck.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://www.dionach.com/moodle-jmol-plugin-multiple-vulnerabilities/"}, {"source": "disclosure@vulncheck.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://www.exploit-db.com/exploits/46881"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Third Party Advisory"], "url": "https://www.exploit-db.com/exploits/46881"}], "sourceIdentifier": "disclosure@vulncheck.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "disclosure@vulncheck.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-22"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-28T01:22:19.886659+00:00", "value": {"mitigation_remediation": ["Upgrade to the latest Moodle Jmol plugin version that fixes the path traversal flaw.", "If an upgrade cannot be performed immediately, place the Moodle directory and the jsmol.php endpoint behind a firewall or web application firewall rule that blocks requests containing \"..\" or multiple slashes, and restrict file system access permissions.", "Configure the Moodle environment to validate and sanitize the query parameter before it is passed to file_get_contents(), ensuring only allowed paths are accessed.", "Monitor web logs for unexpected file read attempts and alert on suspicious activity."], "summary": {"action": "Patch Immediately", "impact": "Read arbitrary files, exposing sensitive configuration and credentials"}, "threat_synthesis": {"affected_systems": "Any Moodle installation that has Jmol plugin version 6.1 or older is affected. This includes all deployments that have not upgraded the plugin beyond the stated version. The problem is limited to the Jmol plugin module and does not involve other Moodle components.", "description_and_impact": "A recent vulnerability in Moodle\u2019s Jmol plugin allows attackers to traverse the filesystem and read any file on the server. The flaw resides in the jsmol.php script, which accepts a query parameter and passes it directly to file_get_contents() without sanitization. An attacker can supply a crafted value that causes the server to read arbitrary files, including configuration files that store database credentials. The issue can be triggered without authentication, and Shadowserver confirmed exploitation in February 2025.", "risk_and_exploitability": "The vulnerability has a CVSS score of 8.7, indicating high severity, and an EPSS of 18%, suggesting a substantive likelihood of exploitation in the near term. It is not listed in CISA\u2019s KEV catalog, but the recent proof\u2011of\u2011concept activity and the high EPSS indicate that it may be actively targeted. Attackers can exploit this flaw remotely via HTTP requests, bypassing authentication, and read sensitive files directly from the file system."}}}}, "created": "2026-04-28T01:30:17.916119+00:00", "updated": "2026-04-28T01:30:17.916129+00:00", "vendors": []}